On 10/2/2023 3:59 PM, Selva Nair wrote:
> On Mon, Oct 2, 2023 at 3:00 PM mike tancsa <m...@sentex.net> wrote:
>> I am in a position where I want to start migrating users away from my
>> old CA, which will expire in the medium-term future, to a new CA. I have
>> many endpoints and can't just say "OK, everyone download new files
>> now."
>>
>> So I am looking at the steps in
>> https://www.hexonet.net/blog/migrating-new-ca-for-openvpn
>> which allow both sets of clients to connect to existing
>> infrastructure. Moving to different ports / IPs etc. is not easy to do
>> either, as firewalls at local sites are controlled by many orgs and
>> getting those changed is non-trivial.
>>
>> Step 1 ok - new CA added (stacked)
>>
>> Step 2, "Also, the server certificate is replaced by one signed by the
>> new CA." Also done. Clients with certs signed with the new CA can
>> connect.
>>
>> Step 3, "Additionally, an intermediate certificate (OLD-NEW-IM.crt) that
>> uses the private key of the new CA, but is signed by the old CA, gets
>> added to the server certificate file. IMPORTANT: When signing the new
>> server certificate, the 'authorityKeyIdentifier' section must only
>> include the keyid, and not the issuer. This is necessary to prevent
>> issues related to different subjects of the old and new CA's."
>>
>> That's the part I am not sure of. Can this be done with easy-rsa 3, or do
>> I need to manually do it with openssl? I am thinking this is an openssl
>> CLI thing. If so, has anyone done this that can share the steps?
> If you can afford two rounds of client config updates, this could be
> done without step 3 -- see the following thread from the users list:
> https://www.mail-archive.com/openvpn-users@lists.sourceforge.net/msg05983.html
>
> Essentially, update to the stacked CA (old+new) on the server and stacked
> CA + new client certs on clients one by one. When all clients are
> updated, change the server certificate to the new one. Then do another
> round of client updates where the old CA is removed from the stack.
>
> A link certificate allows one to do this in one round of client
> updates, as also discussed in that thread. I have used the OpenSSL CLI in
> the past for this but do not have a recipe at hand. No idea whether
> easyrsa could do it.
I think I am getting closer with the "one step" process with an
intermediary cert. I am able to start up the server with both the
new-CA-signed server cert and the intermediary as outlined in "Step 3"
above. However, it's like the server is not sending two server certs to
the connecting client and the stacked crt is not working. In my openvpn
config, if I have something like

ca keys/new/ca2.crt
cert keys/new/ronly.pem
key keys/new/r-only.key

where ca2.crt contains both the root certificates (old and new) and
ronly.pem contains both the new OpenVPN server cert and the intermediary
CA crt signed by the old CA, it only works for one client or the other,
based on where I have the certificate in the .pem file. So if I put the
new cert first in the list, new clients can connect. If I put the
intermediary first in the file, old clients can connect, but not the new
ones. Is there an extra step I need to do, or am I misunderstanding where
the intermediary cert needs to go or what needs to be signed?

---Mike
> Selva
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
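The link-certificate layout from "Step 3" and Selva's "OpenSSL CLI" remark, as an added worked example. This script is not from the thread, the hexonet blog, or OpenVPN; it builds a throwaway PKI in a temp directory and uses `openssl verify` to emulate the chain building an old client (trusting only the old CA) and a new client (trusting only the new CA) would do. It also issues a second server cert whose authorityKeyIdentifier carries issuer and serial, to show why the blog insists on keyid only. It assumes openssl 1.1.1 or later on PATH; all names (Old CA, New CA, vpn.example.test, the file stems) are placeholders chosen for the demo, and OLD-NEW-IM.crt is just the blog's file name reused.

```shell
#!/bin/sh
# Added example: cross-signed "link" certificate for a CA migration.
# Assumes openssl >= 1.1.1; every subject/file name here is a placeholder.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# One config file; the section passed via -extensions picks the extension
# set for each certificate.
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[link_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[server_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[server_ext_bad]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
# issuer:always pins the AKI to the new root's own issuer DN and serial,
# which the link cert (issued by the old CA, different serial) cannot match.
authorityKeyIdentifier = keyid, issuer:always
EOF

# Self-signed root: $1 = file stem, $2 = CN (P-256 keys keep the demo fast).
make_root() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$1.key" -out "$1.crt" -subj "/CN=$2" -days 3650 \
        -config pki.cnf -extensions ca_ext >/dev/null 2>&1
}

# Issue from a CSR: $1 = csr, $2 = issuing CA stem, $3 = ext section, $4 = out.
issue() {
    openssl x509 -req -in "$1" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
        -days 825 -extfile pki.cnf -extensions "$3" -out "$4" >/dev/null 2>&1
}

# Chain check from one client's point of view:
# $1 = that client's ca file, $2 = extra cert the server sends, $3 = server cert.
# Returns 0 when the chain verifies, non-zero otherwise.
verify_as_client() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

build_pki() {
    make_root old-ca "Old CA"
    make_root new-ca "New CA"

    # Link cert: the new CA's key and subject, but signed by the old CA.
    openssl req -new -key new-ca.key -subj "/CN=New CA" -out link.csr \
        -config pki.cnf >/dev/null 2>&1
    issue link.csr old-ca link_ext OLD-NEW-IM.crt

    # Server key and two certs from the same CSR: AKI keyid only (good) and
    # AKI with issuer/serial (what the blog warns against).
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout server.key -out server.csr -subj "/CN=vpn.example.test" \
        -config pki.cnf >/dev/null 2>&1
    issue server.csr new-ca server_ext server.crt
    issue server.csr new-ca server_ext_bad server-bad.crt

    # What the server side would carry: stacked CA file and leaf-first chain.
    cat old-ca.crt new-ca.crt > ca-stack.crt
    cat server.crt OLD-NEW-IM.crt > server-chain.pem
}

build_pki

# Every combination of client trust store and server cert, link cert offered.
for store in old-ca.crt new-ca.crt; do
    for srv in server.crt server-bad.crt; do
        if verify_as_client "$store" OLD-NEW-IM.crt "$srv"; then r=OK; else r=FAIL; fi
        echo "client trusts $store, server presents $srv + OLD-NEW-IM.crt: $r"
    done
done
echo "work dir: $WORK"
```

With keyid-only AKI, both stores verify the same leaf: the old client walks server -> OLD-NEW-IM.crt -> Old CA, the new client stops at New CA because it already trusts a cert with that subject and key. The issuer:always variant still verifies for the new client but fails for the old one, which is the "different subjects of the old and new CA's" problem the blog describes. Note that `openssl verify` only checks the certificates themselves; it says nothing about how OpenVPN reads a multi-cert `cert` file, which is the separate question raised in the last message above.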